AVG Antivirus Data Collection and Knowledge Base
Threat Info
I-Worm/Nuwar
The propagation method of the new Nuwar variant is still similar to that of its predecessors. Spammed mails with a link in IP format direct users to the worm's web pages, where they are prompted to download one of the worm files, named funny.exe. Names of other downloadable files are kickme.exe and foolsday.exe. AVG detects this threat as I-Worm/Nuwar.R.
April 17, 2008
I-Worm/Nuwar
The new Nuwar variant spreads in a way similar to last month's Nuwar.L propagation. The spammed emails are brief and contain a link in IP format to currently working pages hosting the worm. The compromised page's code is changed, and as a result the user is prompted to download a file containing the worm. The downloaded file is named valentine.exe, is about 110 - 130kB long, and is detected by AVG as I-Worm/Nuwar.N.
February 12, 2008
I-Worm/Nuwar
We have a new wave of spammed mail messages containing a link directing users to a website where the worm can be downloaded. The emails contain a short text and the IP address of currently working pages hosting the worm. In this case the downloaded file is named withlove.exe and is about 115kB in size. The websites and worm files change every few minutes. AVG detects withlove.exe as I-Worm/Nuwar.L.
January 15, 2008
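The Nuwar entries above all describe the same lure: a short mail whose link points at a bare IP address instead of a host name. As an added example (not AVG's code), here is a mail-filter check in Python that flags such links; the function name and the sample message, which uses documentation addresses, are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message (192.0.2.0/24 is a documentation range).
SAMPLE = (
    "From: sender@example.org\n"
    "Subject: A card for you\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Someone sent you a greeting: http://192.0.2.45/ \n"
    "Newsletter archive: http://www.example.com/news.\n"
)

def ip_literal_links(raw_message):
    """Return (url, ip) for each http(s) link whose host is a bare IP address."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        body = part.get_payload(decode=True).decode("utf-8", errors="replace")
        for match in URL_RE.findall(body):
            url = match.rstrip(".,)")  # drop trailing sentence punctuation
            try:
                host = urlsplit(url).hostname
                ip = ipaddress.ip_address(host or "")
            except ValueError:
                continue  # host is a name (or malformed), not an IP literal
            hits.append((url, str(ip)))
    return hits

if __name__ == "__main__":
    for url, ip in ip_literal_links(SAMPLE):
        print("IP-literal link:", url, "->", ip)
```

A hit is a signal to score or quarantine rather than proof of infection, since some legitimate internal mail also links to raw addresses.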
Downloader.Tibs
A new Downloader.Tibs variant is spreading today thanks to massive spamming. Infected emails contain an attachment about 130-140kB long, usually named happy2008.exe, which is the trojan horse itself. There are also emails with links directing users to malicious web pages. The files are already detected as Downloader.Tibs.
December 25, 2007
Win32/Mabezat.A
In the last few days we've registered a larger number of PE files infected by this virus. Win32/Mabezat is a polymorphic file infector which infects PE files. More information can be found in our Virus Encyclopedia.
November 14, 2007
Trojan Downloader.Agent.UZM
A new Trojan Downloader was spammed today. The trojan is attached in a zip archive to emails in HTML format with the subject "Hot game" and body text that advertises an Angelina Jolie or Lara Croft undressing game. The xgame.zip attachment contains xgame.exe (20992B), which drops, executes and deletes the kernel driver C:\WINDOWS\System32\drivers\runtime.sys and downloads another downloader, smartdrv.exe. runtime.sys runs, injects and hides an Iexplore.exe process and downloads other components. xgame.exe is detected as Trojan Downloader.Agent.UZM, smartdrv.exe is detected as Trojan Downloader.Agent.UZN, runtime.sys is detected as Trojan Downloader.Agent.THW, and the other downloaded components are detected as several variants of Trojan Backdoor.Ntrootkit.
November 10, 2007
I-Worm/Stration downloader
The next Stration downloader variant spreads by email in messages with a randomly generated subject and body and two attachments. The PDF attachment is harmless, but the EXE attachment, which is 18708B long, is the downloader itself, and AVG detects it as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia.
November 5, 2007
I-Worm/Stration downloader
The latest Stration downloader spreads by email in messages with a randomly generated subject and body and with one EXE and one PDF file attached. The EXE file is 20992B in size and is the downloader itself, which is detected by AVG as I-Worm/Stration.FJA. The file the downloader tries to download is already detected as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia.
November 1, 2007
Stration downloader
A new Stration downloader was seeded this morning using mail messages whose subject and body vary and which contain two attachments, one with a pdf extension and a second with an exe extension, which is 4096B in size and is the downloader itself. AVG detects this threat as Trojan horse Downloader.Generic6.PFM. The downloader tries to download and install Stration on the affected system, but the Stration download link is no longer active. More information about the Stration worm family can be found in the Virus Encyclopedia.
October 19, 2007
DATA collection from Kaspersky
The term “virus” is often loosely used in reference to any type of malicious program, or it is used to describe any negative event that a malicious program causes to a host system.
In the simplest terms, a virus is defined as program code that replicates from one host file to another. This simple definition leaves room for further sub-division, which has become necessary due to the evolution of malicious code over the last two decades.
Computer Viruses can be further classified by the types of objects they infect, the method used to select a potential host, and infection technique.
Infection by type: Boot sector and multipartite viruses infect boot sectors and key operating system startup files (primarily COMMAND.COM).
File viruses infect application .COM and .EXE files. Word Macro and Excel Macro viruses infect Microsoft Word .DOC and .XLS files, respectively.
Classified by the method they use to select their host: “Indirect action file viruses” load into memory and hook into the system interrupt table(s) so they can infect files as they are accessed. Conversely, “direct action file viruses” do not become memory resident; they simply infect a file (or files) when an infected program is run.
Infection technique: “Appending viruses” add code to the end of a host file, while “Prepending viruses” insert their code at the beginning of a host file, effectively "shifting up" the program's original code. Overwriting viruses replace the host file completely with their own code causing irreparable damage to the original host file. By contrast, companion viruses and link viruses avoid adding code to a host file at all.
Companion viruses create a file of the same name, but with an extension that is higher up in the execution hierarchy. Link viruses manipulate FAT (file allocation table) entries.
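Because a companion virus leaves the host file untouched, the visible trace is a second file with the same base name and a higher-priority extension. As an added example (not from the original page), a Python check that walks a directory tree and reports such pairs; the function name is hypothetical, and the .COM, .EXE, .BAT order assumed here is the one the DOS command interpreter uses when a name is typed without an extension.

```python
import os
from collections import defaultdict

# Assumed search order of the DOS command interpreter for a bare command name.
EXEC_ORDER = [".com", ".exe", ".bat"]

def companion_candidates(root):
    """Return (shadowing_path, shadowed_path) pairs found under root.

    A pair is reported when two files in the same directory share a base
    name and the first has an extension earlier in EXEC_ORDER, so it would
    run instead of the second when the bare name is typed.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = defaultdict(dict)
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in EXEC_ORDER:
                by_stem[stem.lower()][ext.lower()] = name
        for stem in sorted(by_stem):
            exts = by_stem[stem]
            ranked = [e for e in EXEC_ORDER if e in exts]
            winner = os.path.join(dirpath, exts[ranked[0]]) if ranked else None
            for lower in ranked[1:]:
                found.append((winner, os.path.join(dirpath, exts[lower])))
    return found

if __name__ == "__main__":
    for shadowing, shadowed in companion_candidates("."):
        print(shadowing, "would run instead of", shadowed)
```

Legitimate software occasionally ships same-named .COM and .EXE files, so each pair is a candidate to inspect, not a verdict.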
There are viruses that fail to work altogether. This could be due to a bug in the original programming of the virus or a natural corruption (for example, a devolving virus eventually corrupts itself to the point that it can no longer function). One wonders how such corruptions can be classified as viruses at all, and yet they are the bane of the anti-virus industry. Corrupted samples show up all too often in well-intended comparative reviews, and can badly skew test results.
17-01-2009 Latest virus
------------------------------------------------------------------------------------------------------------
Name of malicious program Update released 17 January 09
not-a-virus:Porn-Dialer.Win32.InstantAccess.evf
Trojan-Spy.Win32.Agent.qku
Trojan-Spy.Win32.Agent.qkt
Trojan.Win32.Monderb.afbo
Trojan.Win32.Monderb.afbn
not-a-virus:WebToolbar.Win32.FenomenGame.poc
not-a-virus:Porn-Dialer.Win32.InstantAccess.evh
not-a-virus:Porn-Dialer.Win32.InstantAccess.evg
Backdoor.Win32.PcClient.aazo
Trojan.Win32.Monder.aoih
Trojan-GameThief.Win32.OnLineGames.ullm
Trojan-GameThief.Win32.OnLineGames.ulll
Exploit.Win32.IMG-WMF.ou
Trojan-Downloader.Win32.BHO.bzr
Rootkit.Win32.Ressdt.ma
Trojan-Spy.Win32.Agent.qkn
Backdoor.Win32.Bifrose.ajve
Trojan-Spy.Win32.Agent.qkm
Trojan.Win32.Monder.aoig
Trojan-Spy.Win32.Agent.qko
Trojan-Downloader.Win32.BHO.bzs
Trojan-Spy.Win32.Agent.qkp
Trojan-Spy.Win32.Agent.qkr
not-a-virus:Porn-Dialer.Win32.InstantAccess.eve
Trojan.Win32.Agent.bipl
Trojan.Win32.Buzus.ahxb
Trojan.Win32.Monderb.afbm
Trojan.Win32.Buzus.ahxa
Backdoor.Win32.Rbot.ykt
Worm.Win32.AutoRun.xuy
Symantec Found These viruses
------------------------------------------------------------------------------------------------------------
Packed.Generic.205 Trojan, Virus, Worm 01/15/2009
WiniGuard Misleading Application 01/09/2009
W32.Grenail.D!inf Virus 01/08/2009
W32.Grenail.C!inf Virus 01/08/2009
W32.Downadup!autorun Worm 01/07/2009
TotalProtect2009 Misleading Application 01/05/2009
Bloodhound.PDF.5 Trojan 01/05/2009
Bloodhound.PDF.4 Trojan 01/05/2009
Bloodhound.Exploit.223 Trojan, Virus, Worm 01/02/2009